My bleak tech reality: You can't trust anyone or anything, anymore

Two-factor authentication? Fine, if you trust the Feds

Common Topics

Opinion Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere's complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.

A simple problem

Let's use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.

Two-factor authentication is a pain. I have to log in to over 20 different networks, websites and so forth every day. That number is only going to increase. I am not whipping out my phone and punching in a random string of numbers every time.

When you factor in session time-outs I probably have to enter a password over 100 times a day. Entering a password, pulling out my phone, bringing up the relevant application and then entering the code takes on average 30 seconds per login. If I were to use two-factor authentication for everything I would spend 50 minutes of every day just logging into things! This is inherently unsustainable.

The other alternative is a password manager. Password managers come in two basic types: ones that live on your local system and ones that store their information on a remote system.

Much to both Microsoft and Apple's dismay, the era of individuals using only one device is long over. I have two smartphones, a tablet, a netbook, a notebook, a luggable, a desktop and three personal virtual machines. All of which get used every single day. I am an edge case, but in technology, today's edge case is tomorrow's mainstream.

This means that in the real world the system-local password manager is completely useless. If I am going to generate some uncrackable, randomly generated password string and store it in my password manager, then I need to get at that password from any device I use. This means I need a centrally accessible password store. Once more, this bifurcates my options.

The first option is to use a cloud-based service like LastPass. LastPass is amazing - simple to use and effective. It has browser plug-ins for all major browsers that can autocomplete your passwords for sites you have to go to, and it generally makes the whole process of logging in as unobtrusive as possible.

The basics of the service are that you put all of your passwords into LastPass and it stores them in the LastPass cloud. You then log in once (per browser) and LastPass handles your authentication to all websites you visit.

Of course, this still means having a password that you can realistically remember in order to get into LastPass in the first place. This might seem like a single point of attack, but the software solves it by offering various forms of two-factor authentication. So you still have to drag out the smartphone – or use the fingerprint reader – but only once, per browser, per system, per day.

The second option is to create something like LastPass but host it on a server you control. The problem with this approach is that every version of this kind of software I've seen so far is utterly pants and comes nowhere near to LastPass in terms of usability.

Trust factors into authentication

Both these options have their own significant problems. The centralised LastPass store is an unbelievably tempting target for every ne'er-do-well on the planet. Although it is defended by a team of über cyber ninjas, if LastPass should fall, everyone who uses it is screwed.

LastPass doesn't store your master password anywhere that anyone can get at it, but an encrypted copy of your passwords are stored on their servers; if you've been paying attention to advances in password and encryption cracking techniques, you'll know the "only got the encrypted copy" response is not nearly as comforting today as it once was.

While you would be far safer if you used random generated passwords for everything – which is sort of the point of LastPass in the first place – you can store non-randomly generated passwords within LastPass as well. Those passwords would ultimately be quite vulnerable.

Far more worrying to me than the somewhat difficult to imagine prospect of a random criminal breaching LastPass's security, downloading all my passwords and then decrypting them, is the vulnerability of those passwords to the United States government.

The US government has been pretty open over the past decade about the fact that it simply does not care one whit for privacy, civil liberties and other such petty concerns. Certainly, the US PATRIOT Act ensured that non-US citizens have even fewer rights than the (already heavily degraded) few that remain to Americans, something that has been upheld in court but which remains contentious (PDF, 24 pages).

Even assuming that LastPass has no back doors by which it can find out what the passwords are, US law lets the government demand that LastPass turn over the encrypted passwords without even telling the individual affected by the order. The US government measures their computing in acres; they can find your passwords if they really want to.

Assuming that there was a Last-Pass-Alike that I could install on my own servers, I could solve one trust issue – the fact that I don't trust the individuals who work for the US government not to abuse their powers – by ensuring that the password storage is located in my country and subject only to my nation's laws. (An issue that many are concerned about.) That's a great first step, but it falls down on the other side of the equation.

The only security from criminal attack I could gain by striking out alone is that of herd immunity: the hope that so many people deploy the same solution I use that the odds of them attacking my setup become small. That's known as "gambling", because a concerted effort would fold my servers like a cheap tent - even if I was doing my best to defend them.

A centralised cloud service like LastPass defended by the top industry experts in the field is going to be far more secure than anything I run on my own servers. I'm not a security expert, like one of the guys LastPass hires to audit their design and implementation. I am certainly not as good as all of them put together.